nix-binary-cache.nix (3346B)
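# NixOS module: an nginx virtual host that serves files from
# /var/public-nix-cache and, for anything not found there, proxies to and
# caches https://cache.nixos.org.
{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.services.nix-binary-cache;
in
{
  options = {
    services.nix-binary-cache = {
      # mkEnableOption already prepends "Whether to enable", so pass the name only.
      enable = mkEnableOption "nix-binary-cache";
      domain = mkOption {
        description = "domain to serve";
        type = types.str;
      };
      aliases = mkOption {
        default = [ ];
        description = "server aliases to serve";
        type = types.listOf types.str;
      };
    };
  };

  config = mkIf cfg.enable {
    # NOTE(review): 443 is opened, but `enableACME` is commented out below and
    # this module sets no TLS options on the virtual host. Unless TLS is
    # configured elsewhere, clients reach the cache over plain HTTP and rely
    # on Nix's own signature checks for integrity -- confirm this is intended.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # Let the nginx unit write to the cache directory (proxy cache + access log).
    systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/public-nix-cache" ];

    services.nginx = {
      enable = true;
      appendHttpConfig = ''
        proxy_cache_path /var/public-nix-cache/ levels=1:2 keys_zone=cachecache:1200m max_size=20g inactive=365d use_temp_path=off;
        # Cache only success status codes; in particular we don't want to cache 404s.
        # See https://serverfault.com/a/690258/128321
        map $status $cache_header {
          200 "public";
          302 "public";
          default "no-cache";
        }
        access_log /var/public-nix-cache/access.log;
      '';
      virtualHosts."${cfg.domain}" = {
        serverAliases = cfg.aliases;
        # enableACME = true;

        # The directory used as document root here is the same directory
        # nginx uses for proxy_cache_path and for the access log, so anything
        # nginx writes there is reachable by URL unless explicitly blocked.
        locations."/" = {
          root = "/var/public-nix-cache/";
          extraConfig = ''
            expires max;
            add_header Cache-Control $cache_header always;
            # Ask the upstream server if a file isn't available locally
            error_page 404 = @fallback;
          '';
        };

        # The access log lives inside the document root above; without this
        # exact-match block any client could download it as /access.log and
        # read other clients' addresses and request lines.
        locations."= /access.log" = {
          extraConfig = ''
            return 404;
          '';
        };

        # NOTE(review): 8.8.8.8 is queried over plain DNS across the internet.
        # A resolver on a trusted local network is the safer choice, since the
        # answer decides which host the cache contents are fetched from.
        extraConfig = ''
          # Using a variable for the upstream endpoint to ensure that it is
          # resolved at runtime as opposed to once when the config file is loaded
          # and then cached forever (we don't want that):
          # see https://tenzer.dk/nginx-with-dynamic-upstreams/
          # This fixes errors like
          #   nginx: [emerg] host not found in upstream "upstream.example.com"
          # when the upstream host is not reachable for a short time when
          # nginx is started.
          resolver 8.8.8.8;
          set $upstream_endpoint https://cache.nixos.org;
        '';

        # NOTE(review): nginx does not verify the upstream certificate unless
        # `proxy_ssl_verify on` is set together with
        # `proxy_ssl_trusted_certificate`; as written the HTTPS hop to the
        # upstream is encrypted but not authenticated. Consider enabling
        # verification (and `proxy_ssl_server_name on`) for both proxied
        # locations after testing against the upstream's certificate chain.
        locations."@fallback" = {
          proxyPass = "$upstream_endpoint";
          extraConfig = ''
            proxy_cache cachecache;
            proxy_cache_valid  200 302  60m;
            expires max;
            add_header Cache-Control $cache_header always;
          '';
        };

        # We always want to copy cache.nixos.org's nix-cache-info file,
        # and ignore our own, because `nix-push` by default generates one
        # without `Priority` field, and thus that file by default has priority
        # 50 (compared to cache.nixos.org's `Priority: 40`), which will make
        # download clients prefer `cache.nixos.org` over our binary cache.
        locations."= /nix-cache-info" = {
          # Note: This is duplicated with the `@fallback` above,
          # would be nicer if we could redirect to the @fallback instead.
          proxyPass = "$upstream_endpoint";
          extraConfig = ''
            proxy_cache cachecache;
            proxy_cache_valid  200 302  60m;
            expires max;
            add_header Cache-Control $cache_header always;
          '';
        };
      };
    };
  };
}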